External risk intelligence

Sophos XG Firewall: Remote Code Execution Risk via Bookmarks Feature.

CVE advisory · Known Exploit

CVE-2020-15069

A buffer overflow vulnerability in Sophos XG Firewall's HTTP/S Bookmarks feature allows for remote code execution. This impacts organizations by potentially exposing systems to unauthorized access and data compromise. The realistic business risk involves attackers gaining control of affected firewalls.

Halo Surface Signal: 5

Buffer Overflow

Sophos XG Firewall Firmware

17.0 to before 17.5 MR12

External exposure likelihood

Halo Surface Signal score for CVE-2020-15069

The vulnerability affects the clientless access HTTP/S Bookmarks feature of a firewall, which is designed to be a public-facing portal for remote access. As an internet-edge device providing remote services, the affected component is intended to be reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

Sophos XG Firewall versions prior to v17.5 MR12 contain a buffer overflow vulnerability within the HTTP/S Bookmarks feature. This flaw could permit attackers to execute arbitrary code remotely. The potential impact includes unauthorized system access and compromise of data integrity and confidentiality, affecting the organization's operational security and data protection.

  • Vulnerable: Sophos XG Firewall HTTP/S Bookmarks
  • Flaw: Buffer overflow allows remote code execution
  • Impact: Unauthorized access, data compromise

Attack Path

How an attacker could exploit the issue

The HTTP/S Bookmarks feature on Sophos XG Firewalls is reachable over the network, and its buffer overflow can be exploited for remote code execution. Successful exploitation could grant attackers control over affected systems.

  • Exposed HTTP/S Bookmarks feature.
  • Unauthenticated attackers gain access.
  • Trigger overflow for remote execution.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability allows for remote code execution, enabling attackers to potentially gain complete control over Sophos XG Firewall devices. The exploit requires no authentication and has low complexity, making it accessible to a wide range of attackers. Its presence on CISA's Known Exploited Vulnerabilities catalog indicates active exploitation in the wild.

  • Likely attacker skill: Basic to advanced.
  • Required access: Network access to the User Portal.
  • Business risk: Critical; immediate action required.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations should address this critical vulnerability affecting Sophos XG Firewall to prevent potential remote code execution and data compromise. The vulnerability exists within the HTTP/S Bookmarks feature for clientless access, which is exposed to the network. Swift action is required to identify and remediate affected systems, thereby mitigating business risk and protecting sensitive data.

  • Find exposed Sophos XG Firewalls.
  • Restrict access to the affected feature.
  • Apply the vendor's hotfix.
  • Verify the fix was applied.
  • Monitor for related activity.
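The first four steps above come down to answering, for every firewall in the inventory, three questions: is the build in the affected range, has the vendor hotfix been applied, and is the vulnerable feature enabled. The script below is an added example (not Sophos code and not part of the original advisory) that encodes the affected range the advisory states (17.0 up to but not including v17.5 MR12) and the hotfix id it names (HF062020.1), and runs them over a constructed inventory. The version-string format (`17.5 MR12`, with a missing MR suffix treated as MR0), the record fields (`hostname`, `version`, `hotfixes`, `bookmarks_enabled`) and the status labels are assumptions for illustration.

```python
"""Triage an asset inventory for CVE-2020-15069 exposure.

Added example, not vendor code. The affected range (17.0 up to but not
including 17.5 MR12) and the hotfix id HF062020.1 are taken from the advisory;
the inventory records, field names and version-string format are constructed
assumptions for this illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, maintenance release number)

# Accepts "17.5 MR12", "v17.5 MR 12", "17.0" (no MR suffix is treated as MR0).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\s*MR\s*-?\s*(\d+))?\s*$", re.IGNORECASE)

AFFECTED_FROM: Version = (17, 0, 0)   # first affected release (inclusive)
FIXED_IN: Version = (17, 5, 12)       # v17.5 MR12, the first fixed release (exclusive bound)
HOTFIX_ID = "HF062020.1"              # vendor hotfix named in the advisory


def parse_version(text: str) -> Optional[Version]:
    """Parse a firmware version string; return None if it is not recognisable."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, mr = m.groups()
    return (int(major), int(minor), int(mr) if mr else 0)


def is_affected_version(text: str) -> Optional[bool]:
    """True if the version falls inside the advisory's affected range, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    return AFFECTED_FROM <= v < FIXED_IN


def triage(record: Dict) -> str:
    """Classify one inventory record into a remediation status."""
    affected = is_affected_version(record.get("version", ""))
    if affected is None:
        return "UNKNOWN-VERSION"          # cannot decide; needs a manual version check
    if not affected:
        return "not-affected"             # outside the range the advisory states
    hotfixes = {h.upper() for h in record.get("hotfixes", [])}
    if HOTFIX_ID.upper() in hotfixes:
        return "hotfixed"                 # vulnerable build, but vendor hotfix applied
    # Bookmarks disabled lowers exposure, but the vulnerable build is still present
    # and still needs the hotfix; it is ranked below exposed devices, not cleared.
    if not record.get("bookmarks_enabled", True):
        return "VULNERABLE-build (bookmarks disabled)"
    return "VULNERABLE-exposed"           # top priority: vulnerable build and feature enabled


def triage_inventory(records: List[Dict]) -> Dict[str, str]:
    """Map hostname -> status for a whole inventory."""
    return {r["hostname"]: triage(r) for r in records}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Dict] = [
    {"hostname": "fw-edge-01", "version": "17.5 MR11", "hotfixes": [], "bookmarks_enabled": True},
    {"hostname": "fw-edge-02", "version": "17.5 MR11", "hotfixes": ["HF062020.1"], "bookmarks_enabled": True},
    {"hostname": "fw-branch-03", "version": "17.1 MR3", "hotfixes": [], "bookmarks_enabled": False},
    {"hostname": "fw-core-04", "version": "v17.5 MR12", "hotfixes": [], "bookmarks_enabled": True},
    {"hostname": "fw-lab-05", "version": "18.0 MR1", "hotfixes": [], "bookmarks_enabled": True},
    {"hostname": "fw-unknown-07", "version": "n/a", "hotfixes": []},
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

The point of the three-way split is prioritisation: devices reported as `VULNERABLE-exposed` are the ones the "restrict access" step applies to first, `hotfixed` devices are the ones the "verify the fix" step has already confirmed, and `UNKNOWN-VERSION` entries are inventory gaps that the "find exposed firewalls" step has to close before the range check means anything. The check deliberately encodes only the range the advisory states; builds outside it are reported as not affected by this CVE, not as safe in general.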

Frequently asked questions

What is Sophos XG Firewall and its HTTP/S Bookmarks feature?

Sophos XG Firewall is a network security appliance used by organizations to protect their networks. The HTTP/S Bookmarks feature is part of its clientless access capabilities, allowing users to access internal web resources remotely through the firewall's user portal.

How does CVE-2020-15069 create a remote code execution risk?

CVE-2020-15069 is a buffer overflow vulnerability (CWE-120) in Sophos XG Firewall's HTTP/S Bookmarks feature. This flaw allows an unauthenticated attacker to send specially crafted data, causing the software to overflow its allocated memory buffer, which can lead to the execution of arbitrary code on the firewall.

What are the attacker's preconditions to exploit CVE-2020-15069?

An attacker must have network access to the Sophos XG Firewall's user portal. The vulnerability is triggered through the HTTP/S Bookmarks feature and does not require any authentication to exploit. It is not triggered if the Bookmarks feature is not enabled or accessible.

Who should be concerned about this Sophos XG Firewall vulnerability?

Any organization using Sophos XG Firewall versions 17.x through v17.5 MR12 should be concerned. The vulnerability is classified as external, meaning it is very likely to be internet-facing, posing a significant risk to organizations with remote access or web-based services exposed through their firewall.

What is the first step to respond to this Sophos XG Firewall vulnerability?

The first step is to identify if your organization is running an affected version of Sophos XG Firewall. If so, apply the vendor-provided hotfix (HF062020.1) or equivalent to remediate the vulnerability and mitigate the risk of remote code execution.
